README
¶
PKI
What is this?
A tool to ease the headache of PKI infrastructure generation.
How to install
Open a terminal and run the following:
$ # For library usage
$ go get --ldflags "-s -w" --trimpath -u github.com/mjwhitta/pki
$ # For cli usage
$ go install --ldflags "-s -w" --trimpath \
github.com/mjwhitta/pki/cmd/certify@latest
Or compile from source:
$ git clone https://github.com/mjwhitta/pki.git
$ cd pki
$ git submodule update --init
$ make
Usage
Note: Regardless of how you use this Go tool, you should be aware that the certificates on disk are used as a database. Moving or removing files can lead to unintended side-effects (failure to revoke, etc...). You have been warned.
CLI
To get started with a simple PKI:
$ mkdir -p .../path/to/pki
$ certify --sample >.../path/to/pki/.cfg
$ # Modify .cfg as needed
$ certify --pki .../path/to/pki
You now have a PKI with a self-signed CA ready to go. If you would
like to use your own CA (maybe an intermediate CA signed by a Trusted
Root CA), now is the time to overwrite ca/ca.cert.pem and
private/ca.key.pem in the PKI directory. You can delete or overwrite
the DER files as well. See certify --help for what to do next.
$ # Create server certificate
$ certify --pki .../path/to/pki test.example.com
$ # Create wildcard certificate
$ certify --pki .../path/to/pki "example.com:*.example.com"
Library
package main
import "github.com/mjwhitta/pki"
func main() {
var e error
var p *pki.PKI
// Create PKI structure
if p, e = pki.New(".../path/to/pki", pki.NewCfg()); e != nil {
panic(e)
}
// Create CA
if _, _, e = p.CreateCA(); e != nil {
panic(e)
}
// Create server Certificate
_, _, e = p.CreateCertFor("test.example.com", pki.ServerCert)
if e != nil {
panic(e)
}
// Create wildcard Certificate
_, _, e = p.CreateCertFor(
"example.com",
pki.ServerCert,
"*.example.com",
)
if e != nil {
panic(e)
}
// Sync the ders and pems directories for convenience
if e = p.Sync(); e != nil {
panic(e)
}
}
Links
TODO
- Consider support for intermediary CAs
Documentation
¶
Overview ¶
Package pki provides a platform-independent means of generating PKI infrastructure. It will accept a filepath (directory) and Cfg then create a Certificate Authority (CA) for signing client or server X509 Certificates. Below is some sample code to create a default self-signed PKI:
var e error
var p *pki.PKI
if p, e = pki.New("/pki/root/dir", pki.NewCfg()); e != nil {
panic(e)
}
From there, client and server Certificates can be created or Certificate Signing Requests (CSRs) can be imported and used to generate a Certificate for a third-party.
The PKI infrastructure contains a built-in database for tracking generated Certificates and if/when they expired or were revoked.
Index ¶
- Constants
- type CertType
- type Cfg
- func (cfg *Cfg) City(c string)
- func (cfg *Cfg) CommonName(cn string)
- func (cfg *Cfg) Company(c string)
- func (cfg *Cfg) Country(c string)
- func (cfg *Cfg) Locality(l string)
- func (cfg *Cfg) Organization(o string)
- func (cfg *Cfg) OrganizationalUnit(ou string)
- func (cfg *Cfg) Province(p string)
- func (cfg *Cfg) SetOption(k, v string) error
- func (cfg *Cfg) State(s string)
- func (cfg *Cfg) String() string
- func (cfg *Cfg) Subject(cn ...string) pkix.Name
- func (cfg *Cfg) Unit(u string)
- type PKI
- func (p *PKI) CreateCA() (*x509.Certificate, *rsa.PrivateKey, error)
- func (p *PKI) CreateCSRFor(cn string, key *rsa.PrivateKey, alts ...string) (*x509.CertificateRequest, error)
- func (p *PKI) CreateCertFor(cn string, certType CertType, alts ...string) (*x509.Certificate, *rsa.PrivateKey, error)
- func (p *PKI) CreateRSAKeyFor(cn string) (*rsa.PrivateKey, error)
- func (p *PKI) Erase() error
- func (p *PKI) Fingerprint(cert *x509.Certificate) string
- func (p *PKI) FingerprintFor(cn string) string
- func (p *PKI) GetCAFile() string
- func (p *PKI) GetCSRFileFor(cn string) string
- func (p *PKI) GetCertFileFor(cn string) string
- func (p *PKI) GetKeyFileFor(cn string) string
- func (p *PKI) HasCA() bool
- func (p *PKI) HasCSRFor(cn string) bool
- func (p *PKI) HasCertFor(cn string) bool
- func (p *PKI) HasKeyFor(cn string) bool
- func (p *PKI) HasSigned(cert *x509.Certificate) bool
- func (p *PKI) ImportCSR(fn string) error
- func (p *PKI) IsExpired(cert *x509.Certificate) bool
- func (p *PKI) IsRevoked(cert *x509.Certificate) (bool, error)
- func (p *PKI) RevokeCert(cert *x509.Certificate) error
- func (p *PKI) RevokeCertFor(cn string) (*x509.Certificate, error)
- func (p *PKI) Sync() error
- func (p *PKI) Undo() error
Constants ¶
const Version string = "1.4.9"
Version is the package version.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Cfg ¶
Cfg contains any relevant configuration options for creating PKI infrastructure.
func CfgFromFile ¶
CfgFromFile will parse the specified file and create a new Cfg instance.
func (*Cfg) CommonName ¶
CommonName will set the CN in the certificate's subject.
func (*Cfg) Organization ¶
Organization will set the O in the certificate's subject.
func (*Cfg) OrganizationalUnit ¶
OrganizationalUnit will set the OU in the certificate's subject.
type PKI ¶
PKI is a structure that contains the PKI config, key size for generated Certificates, and the root of the PKI infrastructure.
func New ¶
New will return a pointer to a new PKI instance as well as initialized the PKI infrastructure on disk.
func (*PKI) CreateCA ¶
func (p *PKI) CreateCA() (*x509.Certificate, *rsa.PrivateKey, error)
CreateCA will create a new self-signed CA Certificate and return the Certificate with its associated private key. If a CA and key already exist on disk, they will be parsed and returned instead.
func (*PKI) CreateCSRFor ¶
func (p *PKI) CreateCSRFor( cn string, key *rsa.PrivateKey, alts ...string, ) (*x509.CertificateRequest, error)
CreateCSRFor will create a Certificate request for the specified CommonName, signed by the provided private key.
func (*PKI) CreateCertFor ¶
func (p *PKI) CreateCertFor( cn string, certType CertType, alts ...string, ) (*x509.Certificate, *rsa.PrivateKey, error)
CreateCertFor will create a Certificate for the specified CommonName, signed by the PKI's CA. The new Certificate and its associated private key will be returned. If a Certificate and key already exist on disk, they will be parsed and returned instead. See CertType for supported Certificate types.
func (*PKI) CreateRSAKeyFor ¶
func (p *PKI) CreateRSAKeyFor(cn string) (*rsa.PrivateKey, error)
CreateRSAKeyFor will create an RSA private key for the specified CommonName.
func (*PKI) Erase ¶
Erase will erase all PKI related files and directories. Be careful. This is non-reversible.
func (*PKI) Fingerprint ¶
func (p *PKI) Fingerprint(cert *x509.Certificate) string
Fingerprint will return the sha1 hash of the provided Certificate.
func (*PKI) FingerprintFor ¶
FingerprintFor will return the sha1 hash of the Certificate for the specified CommonName, should it exist. If the Certificate does not exist or is revoked, it will return empty string.
func (*PKI) GetCAFile ¶
GetCAFile will return the filepath for the CA. There is no guarantee that the file exists. Use HasCA() first.
func (*PKI) GetCSRFileFor ¶
GetCSRFileFor will return the filepath for the CSR. There is no guarantee that the file exists. Use HasCSRFor() first.
func (*PKI) GetCertFileFor ¶
GetCertFileFor will return the filepath for the Certificate. There is no guarantee that the file exists. Use HasCertFor() first.
func (*PKI) GetKeyFileFor ¶
GetKeyFileFor will return the filepath for the private key. There is no guarantee that the file exists. Use HasKeyFor() first.
func (*PKI) HasCA ¶
HasCA will return whether or not a CA already exists. This only checks if the file exists on disk. It does not validate that the file contains a valid Certificate.
func (*PKI) HasCSRFor ¶
HasCSRFor will return whether or not a CSR for the specified CommonName already exists. This only checks if the file exists on disk. It does not validate that the file contains a valid CSR.
func (*PKI) HasCertFor ¶
HasCertFor will return whether or not a Certificate for the specified CommonName already exists. This only checks if the file exists on disk. It does not validate that the file contains a valid Certificate.
func (*PKI) HasKeyFor ¶
HasKeyFor will return whether or not a private key for the specified CommonName already exists. This only checks if the file exists on disk. It does not validate that the file contains a valid private key.
func (*PKI) HasSigned ¶
func (p *PKI) HasSigned(cert *x509.Certificate) bool
HasSigned will return whether or not the provided Certificate has been signed by the PKI's CA.
func (*PKI) ImportCSR ¶
ImportCSR will read the provided CSR and attempt import it into the PKI. If the embedded CommonName already has a Certificate or CSR, an error will be returned.
func (*PKI) IsExpired ¶
func (p *PKI) IsExpired(cert *x509.Certificate) bool
IsExpired will return whether or not the specified Certificate has expired. This takes a Certificate b/c a CommonName is not enough info with "unique_subject = no".
func (*PKI) IsRevoked ¶
func (p *PKI) IsRevoked(cert *x509.Certificate) (bool, error)
IsRevoked will return whether or not the specified Certificate has been revoked. This takes a Certificate b/c a CommonName is not enough info with "unique_subject = no".
func (*PKI) RevokeCert ¶
func (p *PKI) RevokeCert(cert *x509.Certificate) error
RevokeCert will revoke the provided Certificate.
func (*PKI) RevokeCertFor ¶
func (p *PKI) RevokeCertFor(cn string) (*x509.Certificate, error)
RevokeCertFor will revoke the oldest Certificate with the specified CommonName and return it for any post-processing, such as manually maintaining a Certificate Revocation List (CRL).
Source Files
Directories